Security Vulnerabilities and Staying Alert

It is hard to believe that these are all headlines readers have seen in less than the course of 1 year on various news and security-related websites. After a while, news of a new security breach almost becomes mind-numbing. “Do we really need to be worried about all of these ‘critical vulnerabilities’?”, you ask.

With as frequently as these vulnerabilities, security breaches and hacks come to light, it is understandable that people would be desensitized to news of yet another security flaw. Unfortunately, it is important not to ignore security vulnerabilities, especially when 3rd party information is involved.

For example, let’s pretend that you run a nonprofit organization whose website is built on Drupal. Additionally, CiviCRM is your Constituent Management System. If you ignored the recent Drupal Core vulnerability (and didn’t update your Drupal website code), then chances are your website was hacked, your web server compromised, and all data about your donors and/or clients stored in CiviCRM stolen (including names, addresses, email addresses, phone numbers, and other types of data that you keep about your constituents). And you wouldn’t even be aware that this happened!

So what do you do? How do you navigate through the seemingly endless announcements of yet another security breach or security vulnerability?

As a self-described security nut-case, my recommendation would to be develop a close relationship with trusted security consultants, or information technology professionals who have experience in security. This can either be informal (one of your volunteers or someone in your church), or it can be more formal (one or two experts who sit on your nonprofit’s board, or a consultant that you hire). Ask your trusted professional to monitor news related to all of the bits & pieces of the software your organization uses.

Once this is complete, sign up to an emailing list that alerts you to new security issues for your software (if your software vendor maintains such a list, as many do). Drupal maintains such a list, for example.

Another way to stay “in the loop” about general security news is to follow security consultants and experts on twitter. More often than not, I am first alerted to a particular vulnerability on twitter. You can follow us at @DevelopCENTS.